log2timeline updated to v0.43

log2timeline is a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.

A GUI has been written in Perl-GTK2 for creating the timeline. Since the GUI is written in GTK2 it will not work on every OS. It has been tested to work on both Linux (tested on Ubuntu) and on Mac OS X (tested on Mac OS X 10.5 and 10.6 with X11 installed and MacPorts to install dependencie

Version 0.43 (06/04/10)

  • [MCAFEE input] Fixed a small bug where the input module would not parse the month value if it was only a single digit
  • [timescanner] Temporary fix was added, excluding index.dat files that are inside daily or weekly history files
  • [EVTX input] Fixed a flaw with the EVTX library where timestamps appeared as a zero value
  • [EVTX library] Updated the EVTX library to the latest version, 1.0.4
  • Modified the dependencies, changing the library Digest::Crc32 to Digest::CRC
  • Created an Ubuntu repository to make the installation process easier. I created Debian packages for those modules that do not have any packages as of yet in the official Debian repository.
  • Log2timeline has also been included in the CERT forensics repository (for Fedora). So add the CERT repository to your Fedora workstation (http://www.cert.org/forensics/tools/) and issue yum install log2timeline. All dependencies should be resolved as well.
  • [FIREFOX2 input] Added a Firefox 2 input module to parse the history.dat mork file
  • [OXML input] Fixed a minor bug, an uninitialized array that caused timescanner to reuse timestamps from previous documents


Current Input Modules

log2timeline currently supports parsing the following formats:

  • Google Chrome history
  • Windows Event Log files (EVT)
  • Windows Event Log files (EVTX)
  • EXIF. Extracts exif information or metadata from various media files
  • Firefox bookmarks
  • Firefox 3 history
  • Internet Explorer history files, parsing index.dat files
  • Windows IIS W3C log files
  • ISA server text export. Copy query results to clipboard and into a text file
  • Mactime body files (to provide an easy method to modify from mactime format to some other)
  • Opera Global and Direct browser history
  • OpenXML metadata, for metadata extraction from Office 2007 documents
  • PCAP files, parsing network dump files created by tools such as Wireshark and tcpdump (PCAP)
  • Windows Prefetch directory
  • Windows Recycle Bin (INFO2 or I$)
  • Windows Restore Points
  • Windows XP SetupAPI.log file
  • Adobe Local Shared Object files (SOL/LSO), aka Flash Cookies
  • Squid Access Logs (httpd_emulate off)
  • TLN (timeline) body files
  • UserAssist key of the Windows registry
  • Windows Shortcut files (LNK)
  • Windows XP Firewall Log files (W3C format)

Current Output Modules

log2timeline currently supports exporting the timeline into the following formats:

  • CEF. Common Event Format as described by ArcSight
  • CFTL. A XML file that can be read by CyberForensics TimeLab (for timeline visualization)
  • CSV. Dump the timeline in a comma separated value file (CSV) to easily import it into spreadsheet or use with scripts
  • Mactime. Both the older and newer versions of the format are supported, for use by TSK’s mactime
  • SIMILE. An XML file that can be read by a SIMILE timeline widget for timeline visualization
  • SQLite. Dump the timeline into a SQLite database, that can be read by possible future visualization tools
  • TLN. Timeline format that is used by some of H. Carvey’s tools
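To make the body-file idea from the introduction and the Mactime/TLN output formats above concrete, here is an added Python example (not log2timeline's own Perl code) that turns Squid native access-log lines (httpd_emulate off, one of the input formats listed) into TSK 3.x body lines and TLN lines, sorted by time the way mactime would order them. The sample log lines, the "[SQUID]" label and the dash placeholders for host and user are constructed for this example.

```python
import re

# Constructed Squid native access.log lines (httpd_emulate off); not real traffic.
SAMPLE_LOG = """\
1270540800.123    245 10.0.0.5 TCP_MISS/200 1532 GET http://example.test/index.html - DIRECT/192.0.2.10 text/html
1270540795.900     12 10.0.0.5 TCP_HIT/200 4210 GET http://example.test/logo.png - NONE/- image/png
1270540801.004     88 10.0.0.7 TCP_DENIED/403 1201 CONNECT updates.example.test:443 - HIER_NONE/- text/html
"""

# Native Squid format: time.ms elapsed client result/status size method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+)\.(?P<ms>\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

def parse_squid(text):
    """Return one event dict per well-formed Squid line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "epoch": int(d["ts"]),          # Squid logs Unix epoch seconds (UTC)
            "size": int(d["size"]),
            "desc": f"{d['client']} {d['method']} {d['url']} {d['result']}/{d['status']}",
        })
    return events

def to_body(ev, source="SQUID"):
    """TSK 3.x body line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    A log entry has a single time, so it is placed in all four timestamp fields."""
    t = ev["epoch"]
    return f"0|[{source}] {ev['desc']}|0|0|0|0|{ev['size']}|{t}|{t}|{t}|{t}"

def to_tln(ev, source="SQUID", host="-", user="-"):
    """TLN line: Time|Source|Host|User|Description, time as Unix epoch (UTC)."""
    return f"{ev['epoch']}|{source}|{host}|{user}|{ev['desc']}"

def timeline(text, fmt="body"):
    """Parse, then sort by time (as mactime does) before rendering in the chosen format."""
    render = to_body if fmt == "body" else to_tln
    return [render(ev) for ev in sorted(parse_squid(text), key=lambda e: e["epoch"])]

if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE_LOG)))
```

The body output can be fed straight to mactime (mactime -b body.txt) to get the human-readable timeline; note that sorting happens on the epoch value, so the out-of-order second log line ends up first.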
